Analyzing OpenAPI with a Postman Collection
Sift can use an existing Postman Collection as a fast and practical way to begin API security testing of an OpenAPI application. This allows teams to leverage the work they already have in Postman to quickly validate real application behavior without first authoring or maintaining an OpenAPI document.
Sift can ingest Postman Collection and Environment files to extract example input data, request structure, and request sequencing for the target API, even when an OpenAPI definition is not available.
To run Sift using a Postman Collection, include the following flags with sift run, along with any other required configuration options:
- --pmc: Specifies the Postman Collection file.
- --pme: Specifies the Postman Environment file. Only valid when --pmc is provided.
When a Postman Collection is supplied, Sift will:
- Convert the Postman Collection into an OpenAPI definition for the duration of the run
- Extract example input data from the Collection and the optional Environment file
- Learn request ordering and interaction patterns from the Collection
Sift then combines this extracted information with its semantic reasoning engine to construct meaningful test sequences that reflect how the API is actually used. Using these sequences, Sift performs comprehensive API security testing against the target application.
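The following is an added illustration of the kind of in-memory conversion described above, not Sift's own code: it reads a Postman Collection (v2.1 layout) and an Environment, substitutes {{variable}} references from the enabled Environment values, records the request order as it appears in the Collection, and emits a minimal OpenAPI 3.0 document carrying the example bodies, headers and query parameters. The Collection, the Environment, the numeric-segment-to-path-parameter heuristic and the x-request-sequence extension are all assumptions made for this example.

```python
"""Added example: derive a minimal OpenAPI 3.0 document from a Postman
Collection plus Environment. Not Sift's code; the data below is constructed."""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample Collection (v2.1 layout) and Environment for this example.
COLLECTION = {
    "info": {"name": "Orders API"},
    "item": [
        {"name": "Login",
         "request": {"method": "POST", "url": {"raw": "{{baseUrl}}/auth/login"},
                     "body": {"mode": "raw",
                              "raw": '{"user": "alice", "password": "{{password}}"}'}}},
        {"name": "Orders", "item": [
            {"name": "Create order",
             "request": {"method": "POST", "url": {"raw": "{{baseUrl}}/orders"},
                         "header": [{"key": "Authorization", "value": "Bearer {{token}}"}],
                         "body": {"mode": "raw", "raw": '{"sku": "A-100", "qty": 2}'}}},
            {"name": "Get order",
             "request": {"method": "GET",
                         "url": {"raw": "{{baseUrl}}/orders/42?expand=items"}}},
        ]},
    ],
}
ENVIRONMENT = {"values": [
    {"key": "baseUrl", "value": "https://api.example.test", "enabled": True},
    {"key": "password", "value": "hunter2", "enabled": True},
    {"key": "token", "value": "stale", "enabled": False},  # disabled: must not resolve
]}

VAR_RE = re.compile(r"\{\{(\w+)\}\}")


def env_vars(environment):
    """Enabled Environment variables only; disabled ones stay unresolved."""
    return {v["key"]: v["value"] for v in environment.get("values", [])
            if v.get("enabled", True)}


def resolve(text, variables):
    """Replace {{name}} with its Environment value, leaving unknown names intact."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), text)


def walk(items):
    """Yield requests depth-first in document order, the order Postman runs them."""
    for item in items:
        if "item" in item:
            yield from walk(item["item"])
        elif "request" in item:
            yield item


def template_path(path):
    """Heuristic (assumed): numeric segments become path parameters named after
    the preceding segment, e.g. /orders/42 -> /orders/{ordersId}."""
    segs, params = path.strip("/").split("/"), []
    for i, seg in enumerate(segs):
        if seg.isdigit():
            name = (segs[i - 1] if i else "id") + "Id"
            params.append({"name": name, "in": "path", "required": True,
                           "schema": {"type": "string"}, "example": seg})
            segs[i] = "{" + name + "}"
    return "/" + "/".join(segs), params


def to_openapi(collection, environment):
    variables = env_vars(environment)
    servers, paths, sequence = [], {}, []
    for item in walk(collection["item"]):
        req = item["request"]
        raw = req["url"]["raw"] if isinstance(req["url"], dict) else req["url"]
        url = urlsplit(resolve(raw, variables))
        server = f"{url.scheme}://{url.netloc}"
        if server not in servers:
            servers.append(server)
        path, params = template_path(url.path or "/")
        params += [{"name": k, "in": "query", "schema": {"type": "string"}, "example": v}
                   for k, v in parse_qsl(url.query)]
        params += [{"name": h["key"], "in": "header", "schema": {"type": "string"},
                    "example": resolve(h["value"], variables)}
                   for h in req.get("header", [])]
        op = {"summary": item["name"], "parameters": params,
              "responses": {"default": {"description": "Not recorded in the Collection"}}}
        body = req.get("body", {})
        if body.get("mode") == "raw":
            text = resolve(body["raw"], variables)
            try:  # keep JSON bodies structured so they can serve as typed examples
                example, media = json.loads(text), "application/json"
            except json.JSONDecodeError:
                example, media = text, "text/plain"
            op["requestBody"] = {"content": {media: {"example": example}}}
        method = req["method"].lower()
        paths.setdefault(path, {})[method] = op
        sequence.append(f"{method.upper()} {path}")
    return {"openapi": "3.0.3",
            "info": {"title": collection["info"]["name"], "version": "0"},
            "servers": [{"url": s} for s in servers],
            "paths": paths,
            "x-request-sequence": sequence}  # assumed custom extension, not standard


if __name__ == "__main__":
    print(json.dumps(to_openapi(COLLECTION, ENVIRONMENT), indent=2))
```

Two points worth noting from the output. The disabled token variable is left as the literal {{token}} in the Authorization header example, so any request that depends on it will visibly fail rather than silently send an empty or stale value; and the enabled password variable is substituted into the login body example, which means whatever credentials a Postman Environment holds end up in the derived example data. Point --pme at an Environment prepared for the test target rather than one shared with production.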
The generated OpenAPI definition and all extracted information are ephemeral and do not persist between runs. This information is re-derived from the Postman Collection and Environment files each time Sift is executed, ensuring the analysis always reflects the current state of the Collection.
This approach provides a low-friction path to API security testing that leverages any existing Postman Collections that document an OpenAPI application, while still enabling Sift to reason deeply about API behavior and risk.